Evolving digital evidence laws, the changing IT landscape and the reliance on audit log data has the is causing financial losses and a false sense of security for organisations

1. Audit Trail Protection:
Avoiding a False Sense of
Security
Nadeem Bukhari CISSP, CISM
VP of Product Strategy
Kinamik Data Integrity S.L.
Tel Mobile: +34 628 629 322
Tel Office: +34 931 835 814
Email: nbukhari@kinamik.com
Website: http://www.kinamik.com

2. - 2 -
Data Integrity
 Data integrity is data that has a
complete or whole structure. All
characteristics of the data including
business rules, rules for how pieces
of data relate, dates, definitions and
lineage must be correct for data to be
complete
http://en.wikipedia.org/wiki/Data_inte
grity
 integrity - the property of
safeguarding the accuracy and
completeness of assets [ISO/IEC
13335-1:2004]
Data QualityData Security

3. - 3 -
Audit Trails Evolution
 Audit trail collection, preservation
and reporting regulatory and
compliance demands
 e.g. PCI DSS, FISMA, FDA 21 CRF
Part 11, EU DRD, SoX, SEC 14a,
ISO27001,..
 Audit logs are company records.
 SIEM & Log Management Market
 Worldwide revenue for SIEM was
$663.3 million in 2008 and is expected
to grow to $1.4 billion in 2013” IDC
 Estimated growth of audit trails
 average overall data volume growth
rate reported is just over 30% per
year. Aberdeen
 Mobile market data growth
exponential
Credit for image: jscreationzs

4. - 4 -
Audit Trails Issues
 Which audit trails to collect?
 Over collection
 Too Many Alerts
 Evolving attack signatures
 Inconsistent data formats
 Developers need to know the
audience i.e. security, compliance,
LOB...
 Differing retention requirements
 Excessive storage costs
 Liabilities

5. - 5 -
Audit Trails Security
 Changing audit trails knowledge is in the
mainstream
 Security perimeter to the data element
 NOT near real-time protection false
sense of security
 “system logs need to be protected, because if
the data can be modified or data in them
deleted, their existence may create a false
sense of security.” ISO27001

6. - 6 -
Audit Trails Preservation
 Digital Evidence
 American Express Travel Related Services Co. Inc. vs
Vee Vinhee
 Lorraine v. Markel American Insurance Company
 California v Khaled
 BS10008 – Evidential Weight and Legal
Admissibility of Electronic Information
 NIST SP 800-92 - Guide to Computer Security Log
Management
 “In cases where logs may be needed as evidence,
organizations may wish to acquire copies of the original
log files”

7. - 7 -
Audit Trails and the Cloud
 High value target
 The service provider admins have
access?
 You cannot control below the
hypervisor
 Service Provider Developers
 Focus on Service first
 Do not know the entire audience
 Access to logs contain Multi-tenant
information
 Incident Response/ Forensics
 Can you gather evidence?
 Will the audit log data’s authenticity be
provable?

8. - 8 -
The Depth of Secure Logging
 M.Bellare and B.Yee – Forward integrity for secure audit
logs (1997)
 Bruce Schneier/ John Kelsey - Secure Audit Logs to
Support Computer Forensics (1999)
 J.Holt – Logcrypt: Forward security and public
verification for secure audit logs (2006)
 Rafael Accorsi – Safekeeping Digital Evidence with
Secure Logging Protocols: State of the Art and
Challenges (2009)
 Transmission Phase - Origin authentication, message
confidentiality, message integrity, message uniqueness, reliable
delivery
 Storage Phase - Entry accountability, entry integrity, entry
confidentiality
 Jeff Jonas (IBM Chief Scientist) / Markle Foundation -
Implementing a Trusted Information Sharing
Environment: Using Immutable Audit Logs to Increase
Security, Trust, and Accountability (2006)
 “Immutable audit logs (IALs) will be a critical component for the
information sharing environment”
#MAC
DATA + Metadata #MAC=
#MAC
DATA + Metadata #MAC=
#MAC
DATA + Metadata #MAC=
DATA + Metadata #MAC=
…

9. - 9 -
Audit Trails Integrity – Things to consider
 Batching audit trails (e.g. file)
 windows of opportunity for undetectable
manipulation
 Single change = maximal loss
 Near real-time protection
 Makes undetectable tampering very difficult
 Sequential (chronology) – Great for
digital evidence
 Key´s protection – What if they are
compromised?
 Overheads
 Performance
 Storage
 Broken Crypto Algorithms – Tool need to be
able to change

10. - 10 -
Audit Trails Availability
 Retention period by audit trail
needs to be definable
 Tiered storage – Online only gets
expensive
 Degradation/ de-commissioned

11. - 11 -
Audit Trails Confidentiality Issues
 Access Control
 Vulnerable to privileged accounts
 Segregation
 Collusion
 Encryption
 Only for confidentiality

12. - 12 -
Non-Repudation
 Not possible to - deny the truth or
validity of something
 “A service that provides proof of
the integrity and origin of data”
 “An authentication that with high
assurance can be asserted to be
genuine.”
 Identity Assurance + Assured event
 End to end trust/ Chain of custody
 Ethics – Non-repudation is
inevitable, use the technology to
support privacy policy

13. - 13 -
Conclusion
 Audit trail evolution brings greater reliance
 Digit Evidence evolution brings doubt in current authenticity controls
 Granular/ real time data Integrity protection brings data centricity
Controls
 Cloud computing environments thrive with data centric protection

14. - 14 -
Nadeem Bukhari CISSP, CISM
VP of Product Strategy
Kinamik Data Integrity S.L.
Tel Mobile: +34 628 629 322
Tel Office: +34 931 835 814
Email: nbukhari@kinamik.com
Website: http://www.kinamik.com